ANOTHER DAY, another dodgy Android app discovered, this time in the form of the personal data leaking ai.type Keyboard.
Uncovered by security researchers at Kromtech Security Centre, the keyboard app that offers an alternative to the native keyboards on Android and iOS devices was found to be extracting personal data from some 31 million users and flinging it over to an unsecured database server owned by the app's co-founder Eitan Fitusi.
The data leak, according to the researchers, only affects the app on Android and not iOS, so iPhone users can keep feeling smug.
After the researchers apparently repeatedly tried to contact Fitusi, the app maker eventually added password protection to the database that held more than 577GB of user data, after it had been previously been left open to anyone who wandered by on the digital highways of the internet.
Had any of the malicious types that lurk on the web found the server they could have extracted all manner of user data, from full names, email addresses, and location, basically a treasure trove of information for people who get their kicks from identity theft and fraud.
Furthermore, security researcher Bob Diachenko noted that the app seemed to hoover up quite a lot of data for what would appear to be a simple keyboard tool.
"It raises the question of why would a keyboard and emoji application need to gather the entire data of the user's phone or tablet? Based on the leaked database they appear to collect everything from contacts to keystrokes. This is a shocking amount of information on their users who assume they are getting a simple keyboard application," he said.
Now it's worth pointing out that the ai.type Keyboard app does note that it'll suck up data and requires permissions to the user's mobile contacts database, though it points out that "all information is locally stored on smartphone's vocabulary".
And the app touts privacy as a big focus, noting that text tapped into the keyboard is private and encrypted.
But the security researchers found that this isn't the case, given that not only was there an unsecured server sitting full of user data, but the texts weren't encrypted either as they were able to download and look through the database files where they found a table containing 8.6 million entries of text that had been typed into the keyboard app.
So pretty much the promise of privacy, which ai.type outlines on its website has appeared to have a strong whiff of BS.
Whether the data protection and encryption failings are deliberate or just down to some server setup fumbling, is still up for debate. We've attempted to contact ai.type for comment and clarification as to what the hell it was playing at.
Such breaches in data protection are worrying as ai.type Keyboard is a widely used app that's been well reviewed and comes from a legit developer, basically raising the question as to who can you trust these days. We'll console ourselves by sticking with default keyboards for the time being. µ
C3-PO, R2-D2, BB-8 and other Androids
Helpful cyber vigilante gets short changed by customer services
...you know, now it's less confusing...
Firm will no longer provide updates for its first Android mobe